#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#
#
# SUMMARY
# * All connections originating from chilli are allowed.
# * Only ssh is allowed in on external interface.
# * Nothing is allowed in on internal interface.
# * Forwarding is allowed to and from the external interface, but disallowed
#   to and from the internal interface.
# * NAT is enabled on the external interface.

IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

#Flush all rules
$IPTABLES -F 
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle

#Set default behaviour
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow releated, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow 4949 on other interfaces for munin
$IPTABLES -A INPUT -p tcp -m tcp --dport 4949 --syn -j ACCEPT

#Allow transparent proxy
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT

#Allow ssh to tunnel interface
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow ICMP echo on other interfaces (input).
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

#Allow transparent proxy
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Capture log
$IPTABLES -t nat 	-N logging 
$IPTABLES -t nat 	-A PREROUTING 			-j logging 
$IPTABLES -t nat 	-A POSTROUTING 			-j logging 
# $IPTABLES 		-A INPUT 			-j LOG --log-level info 	--log-prefix "INPUT" 
# $IPTABLES 		-A OUTPUT			-j LOG --log-level info 	--log-prefix "OUTPUT" 
# $IPTABLES 		-A FORWARD			-j LOG --log-level info 	--log-prefix "FORWARD" 
$IPTABLES -t nat 	-A logging -p tcp --dport 443 	-j LOG --log-prefix "HTTPS:" 	--log-level info 	
$IPTABLES -t nat 	-A logging -p tcp --dport 25 	-j LOG --log-prefix "SMTP:" 	--log-level info 
$IPTABLES -t nat 	-A logging -p tcp --dport 21 	-j LOG --log-prefix "FTP:" 	--log-level info 
$IPTABLES -t nat 	-A logging -p tcp --dport 143 	-j LOG --log-prefix "IMAP:" 	--log-level info
$IPTABLES -t nat 	-A logging -p tcp --dport 110 	-j LOG --log-prefix "POP3:" 	--log-level info 
$IPTABLES -t nat 	-A logging -p tcp --dport 1863 	-j LOG --log-prefix "MSN:" 	--log-level info 
$IPTABLES -t nat 	-A logging -p tcp --dport 6667 	-j LOG --log-prefix "IRC:" 	--log-level info 
$IPTABLES -t nat 	-A logging -p tcp --dport 22 	-j LOG --log-prefix "SSH:" 	--log-level info 
$IPTABLES -t nat 	-A logging -p tcp --dport 23 	-j LOG --log-prefix "TELNET:" 	--log-level info
